IBM Support

AIX: Setting up sendmail as a relay that uses SASL authentication

How To


Summary

Starting with AIX 7.3, SASL authentication support is added to sendmail. Use the following steps as a guide to setting this up.

Steps

On the relay server side

Assuming you are starting with a default /etc/mail/sendmail.cf file, make a backup of it, and make the following changes to it.
 
Search for this section:
# Hosts for which relaying is permitted ($=R)
# FR-o /etc/mail/relay-domains
 
Uncomment the FR-o line:
# Hosts for which relaying is permitted ($=R)
FR-o /etc/mail/relay-domains
 
Search for this section:
# SMTP daemon options
# Name used for error messages and logging
O DaemonPortOptions=Name=MTA
 
Modify it:
# SMTP daemon options
# Name used for error messages and logging
O DaemonPortOptions=Name=MTA, M=Ea
 
 
Search for this section:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
 
Leave the existing line commented, and add these lines:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
C{TrustAuthMech}EXTERNAL GSSAPI OTP DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
 
 
 
After that is done, save the sendmail.cf file. Next, create the /etc/mail/relay-domains file, and populate it with the domains you want to allow relaying from:
 
austin.ibm.com
xyz.domain.com
 

Create a user in the SASL database:
# saslpasswd dummyuser
<enter a password; for this example I'll use 12345>
 
 
Run the following command to verify the user is added to the SASL database:
 
# sasldblistusers
That command should show the username with the hostname (or FQDN) of the relay appended to it:
dummyuser@hostname.domain.com: userPassword
dummyuser@hostname.domain.com: cmusaslsecretOTP
 
If that command fails because it cannot load libsasldb.a, you need the fix for IJ42911 / IJ40668. Contact AIX support for an ifix if it is not shipped in your current service pack.

Stop and restart the sendmail daemon:
 
# stopsrc -s sendmail 
# startsrc -s sendmail -a "-bd -q30m"
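To confirm that the relay-side edits above actually landed, here is an added audit script (written for this page, not IBM's code). The function name, its messages and the STARTTLS note at the end are this example's own; the settings it looks for are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the IBM page): audit a relay's sendmail.cf and
# relay-domains file for the settings described above. The function name and
# messages are this example's own; the settings checked are the page's.
# Usage: check_relay_cf [/etc/mail/sendmail.cf] [/etc/mail/relay-domains]

check_relay_cf() {
    cf=${1:-/etc/mail/sendmail.cf}
    domains=${2:-/etc/mail/relay-domains}
    rc=0
    # FR-o must be active so the relay-domains file populates class $=R.
    grep -q '^FR-o /etc/mail/relay-domains' "$cf" \
        || { echo "missing: uncommented FR-o /etc/mail/relay-domains"; rc=1; }
    # M=Ea: 'a' requires authentication on this daemon, 'E' disallows ETRN.
    grep -q '^O DaemonPortOptions=.*M=Ea' "$cf" \
        || { echo "missing: M=Ea in DaemonPortOptions"; rc=1; }
    # Class of mechanisms trusted for relaying, and the advertised mechanisms.
    grep -q '^C{TrustAuthMech}' "$cf" \
        || { echo "missing: C{TrustAuthMech} class"; rc=1; }
    grep -q '^O AuthMechanisms=' "$cf" \
        || { echo "missing: active O AuthMechanisms line"; rc=1; }
    # relay-domains must exist and carry at least one non-comment entry.
    if [ -r "$domains" ] && grep -q '^[^#[:space:]]' "$domains"; then
        echo "relay-domains entries: $(grep -c '^[^#[:space:]]' "$domains")"
    else
        echo "missing: $domains has no domains"; rc=1
    fi
    # Caveat (not on the page): PLAIN and LOGIN expose the password to anyone
    # who can observe the session unless STARTTLS is negotiated first, so
    # confirm TLS on the relay if those mechanisms are advertised.
    grep -Eq '^O AuthMechanisms=.*(PLAIN|LOGIN)' "$cf" \
        && echo "note: PLAIN/LOGIN advertised; make sure STARTTLS is in use"
    return $rc
}

# Run the audit against the default paths when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then check_relay_cf; fi
```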
 
 
On the client side

Create an authinfo directory inside of /etc/mail:
# mkdir /etc/mail/authinfo

Change permissions:
# chmod 750 /etc/mail/authinfo
# ls -ld /etc/mail/authinfo
drwxr-x---    2 root     system          256 Sep 02 13:37 /etc/mail/authinfo
 
 
Create a file in this directory called smtp-auth which contains the user that was created on the relay, with the hostname or FQDN of the relay appended as sasldblistusers showed earlier, and the password:
 
AuthInfo: "U:root" "I:dummyuser@hostname.domain.com" "P:12345"
 
Important note: Some SMTP servers may reject the SMTP user if it contains the "@hostname.domain.com" portion. If authentication fails even though the password is correct, try removing the "@hostname.domain.com" part, rebuild the hash map, and try again.
 
Turn this file into a hash map:
 
# makemap hash smtp-auth < smtp-auth
 

After that step, in /etc/mail/authinfo directory, you will see:
 
# ls -l /etc/mail/authinfo
-rw-r--r--    1 root     system           73 Sep 02 13:36 smtp-auth
-rw-r-----    1 root     system        12288 Sep 02 13:37 smtp-auth.db
 
Change the group of the /etc/mail/authinfo directory and of the smtp-auth files in it to smmsp:
 
# chown -R root:smmsp /etc/mail/authinfo

# ls -ld /etc/mail/authinfo
drwxr-x---    2 root     smmsp           256 Sep 02 13:37 authinfo

# ls -l /etc/mail/authinfo
-rw-r--r--    1 root     smmsp            73 Sep 02 13:36 smtp-auth
-rw-r-----    1 root     smmsp         12288 Sep 02 13:37 smtp-auth.db

 
 
Since the smtp-auth file, which holds the password in clear text, is still world readable, tighten its permissions:
 
# chmod 640 /etc/mail/authinfo/smtp-auth
# ls -l /etc/mail/authinfo/smtp-auth
-rw-r-----    1 root     smmsp            73 Sep 02 13:36 /etc/mail/authinfo/smtp-auth
 
NOTE:
These next instructions assume that your client has a submit.cf file with a populated DS entry that specifies your external mail relay. In that configuration the mail submission program talks directly to the remote relay and does not depend on the local sendmail daemon; the daemon does not even need to be running on this system. This is a good way to do it, because it avoids having the sendmail daemon running and listening on port 25 unnecessarily.

As such, the instructions below tell you to modify the submit.cf file.

If your client system IS running the sendmail daemon, and either -
 
1) your submit.cf file has an empty DS entry, meaning it will need to interact with the local sendmail daemon which then contacts the external relay, and you want to keep it that way
 
or
 
2) you don't have a submit.cf file at all
 
- the configuration changes will be the same, except instead of modifying submit.cf, you will make the modifications to the same sections in sendmail.cf. After making those changes to sendmail.cf, restart the daemon with 'stopsrc -s sendmail' and 'startsrc -s sendmail -a "-bd -q30m"'.
 
 
 

Assuming a default submit.cf file, make a backup of it, and make the following changes to /etc/mail/submit.cf.

 
 
Look for the DS relay entry:
# "Smart" relay host (may be null)
DS
If no relay is specified there, then modify it to specify your SASL relay server:
# "Smart" relay host (may be null)
DShostname.domain.com
 
Look for this section:
# arithmetic map
Karith arith
 
Add the following line below it:
# arithmetic map
Karith arith
Kauthinfo hash /etc/mail/authinfo/smtp-auth
 
Look for this section:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
 
 
Add the following line below it:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
O AuthMechanisms=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
 
 
Look for this section:
######################################################################
###  authinfo: lookup authinfo in the access map
###
###     Parameters:
###             $1: {server_name}
###             $2: {server_addr}
######################################################################
Sauthinfo
 
 
Then add the following block directly below that:
######################################################################
###  authinfo: lookup authinfo in the access map
###
###     Parameters:
###             $1: {server_name}
###             $2: {server_addr}
######################################################################
Sauthinfo
R$*             $: <$(authinfo AuthInfo:$&{server_name} $: ? $)>
R<?>    $: <$(authinfo AuthInfo:$&{server_addr} $: ? $)>
R<?>    $: <$(authinfo AuthInfo: $: ? $)>
R<?>    $@ no                           no authinfo available
R<$*>   $# $1
 

Note that in the final block above, the R lines must use tab characters in the correct places. To show that more clearly:

 
R$*<TAB><TAB>$: <$(authinfo AuthInfo:$&{server_name} $: ? $)>
R<?><TAB>$: <$(authinfo AuthInfo:$&{server_addr} $: ? $)>
R<?><TAB>$: <$(authinfo AuthInfo: $: ? $)>
R<?><TAB>$@ no                           no authinfo available
R<$*><TAB>$# $1
 
Replace each instance of <TAB> with an actual tab character. The other whitespace seen in the block will be space characters.
At this point, you are done modifying the submit.cf file.
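The following added check script (written for this page, not IBM's code) verifies the client-side pieces described above: the permissions tightened on /etc/mail/authinfo earlier, and the submit.cf edits, including the requirement that the Sauthinfo R lines separate the left-hand side from the right-hand side with a tab. Function names and the optional path arguments are this example's own; the defaults are the paths the page uses.

```shell
#!/bin/sh
# Added example (not from the IBM page): sanity-check the client-side setup
# described above. Function names and the optional path arguments are this
# example's own; the defaults are the paths the page uses.

# Fail if the authinfo directory or the smtp-auth files are accessible to
# "other". Uses ls(1) rather than stat(1) so it runs on AIX as well as Linux.
check_authinfo_perms() {
    dir=${1:-/etc/mail/authinfo}
    rc=0
    for f in "$dir" "$dir/smtp-auth" "$dir/smtp-auth.db"; do
        [ -e "$f" ] || { echo "missing: $f"; rc=1; continue; }
        other=$(ls -ld "$f" | cut -c8-10)   # permission bits for "other"
        [ "$other" = "---" ] || { echo "world-accessible ($other): $f"; rc=1; }
    done
    return $rc
}

# Verify the submit.cf edits: a non-empty DS, the authinfo map, an active
# AuthMechanisms line, and an Sauthinfo ruleset whose R lines use a tab
# (not spaces) between the left-hand side and the right-hand side.
check_submit_cf() {
    cf=${1:-/etc/mail/submit.cf}
    rc=0
    grep -q '^DS.' "$cf" || { echo "missing: DS relay host"; rc=1; }
    grep -q '^Kauthinfo hash /etc/mail/authinfo/smtp-auth' "$cf" \
        || { echo "missing: Kauthinfo map"; rc=1; }
    grep -q '^O AuthMechanisms=' "$cf" || { echo "missing: O AuthMechanisms"; rc=1; }
    awk '
        /^Sauthinfo/ { inrs = 1; next }
        /^S/         { inrs = 0 }
        inrs && /^R/ {
            n++
            t = index($0, "\t"); s = index($0, " ")
            # The LHS must end at a tab that comes before any space on the line.
            if (t == 0 || (s > 0 && s < t)) { bad++; print "no tab after LHS: " $0 }
        }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }' "$cf" \
        || { echo "Sauthinfo ruleset missing or mis-tabbed"; rc=1; }
    return $rc
}

# Run both checks against the default paths when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then check_authinfo_perms; check_submit_cf; fi
```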
 
 
Attempt sending mail from this client:
# echo test | mail -vvv -s "test mail" myaddr@domain.com
 
 
If things go as expected, you will see 'OK Authenticated' in the debug output, and the mail is sent to its recipient.
 
If you see an error such as 'Deferred: Connection refused by [127.0.0.1]', you can modify the MTAHost entry in /etc/mail/submit.cf to add your SASL sendmail relay server:
 
#D{MTAHost}[127.0.0.1]
D{MTAHost}[hostname.domain.com]
 

Document Location

Worldwide


Document Information

Modified date:
08 December 2025

UID

ibm16960607